isc.sensor.parser
Class StaticPortPacketCapture

java.lang.Object
  extended by java.lang.Thread
      extended by isc.sensor.parser.AbstractParser
          extended by isc.sensor.parser.StaticPortPacketCapture
All Implemented Interfaces:
java.lang.Runnable

public class StaticPortPacketCapture
extends AbstractParser

A DNA Sensor Parser which captures selected whole packets for evaluation with tools that read the tcpdump (pcap) format. This parser works for both the TCP and UDP protocols and is capable of creating a local pcap file (tcpdump format) or sending the packets to a repository (SQL-DB, JMS, Sockets, etc.) via the output adaptor.

 
 Configuration File Options:
 ---------------------------

 StaticPortPacketCapture.Ports:
         Value: Specify the list of ports or port ranges to capture, separated by a comma (,)
                for example:  80,8080,3500-4000,20-30

 StaticPortPacketCapture.Flags:
         Value: Specify the TCP flag values to capture; not used for UDP.
                for example:  24,16   (data is usually sent with these flags)
 
 StaticPortPackCapture.CreatePCAP:
         Value: True/False [False] - Whether to create a local pcap file.
                True creates the local file; False sends the packets to the output adaptor
 
 StaticPortPacketCapture.OverwritePcap:
         Value: True/False [False] - Whether to overwrite an existing local pcap file.
                False moves the old file to [fname].bak[n]
 
 StaticPortPacketCapture.Filename:
         Value: Local filename for the pcap file. Default is [parsername].pcap
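The Ports and Flags values above are free-form strings read from the configuration file, so the parser has to validate them before using them as capture criteria. The following is an added illustration, not the DNA sensor's own code: it parses the documented "80,8080,3500-4000,20-30" and "24,16" forms into BitSet membership tests, rejecting out-of-range ports, reversed ranges and non-numeric entries. The class and method names are the editor's own, and the decisions that either endpoint port may match and that a Flags entry is the exact TCP flag byte value are assumptions about the real parser's behaviour.

```java
import java.util.BitSet;

/**
 * Added illustration (not part of the DNA sensor code base): turns the
 * StaticPortPacketCapture.Ports and StaticPortPacketCapture.Flags values
 * into fast membership tests. Names and matching rules are assumptions.
 */
public final class CaptureSelector {

    private final BitSet ports = new BitSet(65536);  // one bit per TCP/UDP port
    private final BitSet flags = new BitSet(256);    // one bit per 8-bit TCP flag byte value

    /** Parse "80,8080,3500-4000,20-30"; rejects anything outside 0-65535 and reversed ranges. */
    public static BitSet parsePorts(String spec) {
        if (spec == null || spec.trim().isEmpty()) {
            throw new IllegalArgumentException("Ports value is empty");
        }
        BitSet set = new BitSet(65536);
        for (String item : spec.split(",")) {
            String tok = item.trim();
            if (tok.isEmpty()) {
                throw new IllegalArgumentException("Empty port entry in: " + spec);
            }
            int dash = tok.indexOf('-');
            int lo, hi;
            if (dash < 0) {
                lo = hi = parsePort(tok);
            } else {
                lo = parsePort(tok.substring(0, dash).trim());
                hi = parsePort(tok.substring(dash + 1).trim());
                if (lo > hi) {
                    throw new IllegalArgumentException("Reversed range: " + tok);
                }
            }
            set.set(lo, hi + 1);   // BitSet.set(from, to) excludes 'to'
        }
        return set;
    }

    /** Parse "24,16": each entry is taken as a raw TCP flag byte value to match exactly (assumption). */
    public static BitSet parseFlags(String spec) {
        BitSet set = new BitSet(256);
        if (spec == null || spec.trim().isEmpty()) {
            return set;                       // UDP: the Flags option is unused
        }
        for (String item : spec.split(",")) {
            String tok = item.trim();
            int v;
            try {
                v = Integer.parseInt(tok);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("Bad flag value: '" + tok + "'");
            }
            if (v < 0 || v > 255) {
                throw new IllegalArgumentException("Flag value outside 0-255: " + tok);
            }
            set.set(v);
        }
        return set;
    }

    private static int parsePort(String tok) {
        int v;
        try {
            v = Integer.parseInt(tok);
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("Not a port number: '" + tok + "'");
        }
        if (v < 0 || v > 65535) {
            throw new IllegalArgumentException("Port out of range: " + v);
        }
        return v;
    }

    public CaptureSelector(String portSpec, String flagSpec) {
        ports.or(parsePorts(portSpec));
        flags.or(parseFlags(flagSpec));
    }

    /** TCP decision: either endpoint port is listed AND the flag byte is one of the listed values. */
    public boolean captureTcp(int srcPort, int dstPort, int tcpFlags) {
        return (ports.get(srcPort) || ports.get(dstPort)) && flags.get(tcpFlags & 0xff);
    }

    /** UDP decision: port match only, since Flags is documented as unused for UDP. */
    public boolean captureUdp(int srcPort, int dstPort) {
        return ports.get(srcPort) || ports.get(dstPort);
    }

    public static void main(String[] args) {
        // Constructed configuration values taken from the examples in the documentation above.
        CaptureSelector sel = new CaptureSelector("80,8080,3500-4000,20-30", "24,16");
        System.out.println(sel.captureTcp(51234, 80, 0x18));   // PSH+ACK (24) to port 80
        System.out.println(sel.captureTcp(51234, 80, 0x02));   // bare SYN (2) to port 80
        System.out.println(sel.captureUdp(53, 3700));          // 3700 lies inside 3500-4000
        System.out.println(sel.captureUdp(53, 4001));          // one past the end of that range
    }
}
```

Rejecting a malformed value at init() time rather than silently capturing nothing (or everything) is the property worth keeping: a capture parser that quietly ignores a typo in its port list produces an empty pcap with no indication of why.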

 Data Dictionary for Output Adaptor
 ----------------------------------
  DataObject Name: PcapPacket
  Attributes:
   Name            Type
   ---------       --------------
   time            String (java.sql.Timestamp) --- some DBs don't handle this correctly; should be "YYYY-MM-DD HH:MM:SS[.fffffff]"
   milliseconds    long
   nanoseconds     integer
   sensorName      String
   interface       String
   sessionKey      String
   packetSize      integer
   packet          byte[]
 

Author:
John Casey
Project: DNA_sensor
See Also:
AppProperties, AbstractParser, PacketEvent, for creating pcap files from packets stored in a repository.

Nested Class Summary
 
Nested classes/interfaces inherited from class isc.sensor.parser.AbstractParser
AbstractParser.ParserState
 
Nested classes/interfaces inherited from class java.lang.Thread
java.lang.Thread.State, java.lang.Thread.UncaughtExceptionHandler
 
Field Summary
protected  java.lang.String _defaultfname
          default filename for local pcap
protected  java.lang.String _filename
          local pcap filename
protected  boolean _overwrite
          overwrite local pcap file flag
protected  boolean createPCAP
          create local pcap flag
protected  byte[] err
           
protected  javacap jp
          java libpcap processing class
protected static org.apache.log4j.Logger log
          the logger
protected  OAObjectManager packetObj
          Output Adaptor
 
Fields inherited from class isc.sensor.parser.AbstractParser
flushCtr, PARSER_WORKQUEUE_SZ, parserState, props, readyState, TCP, UDP, workQueue
 
Fields inherited from class java.lang.Thread
MAX_PRIORITY, MIN_PRIORITY, NORM_PRIORITY
 
Constructor Summary
StaticPortPacketCapture()
           
 
Method Summary
protected  void close()
          close local pcap file or output adaptor
protected  void closeSession(SessionBean ses)
          One of three asynchronous callback methods sent to a parser.
protected  void init()
          Read system properties and setup configuration
 void init(int protocol)
          Create a new Static port packet capture
- Get properties
- Register ports
protected  void open()
          Open a local pcap file if requested by the config file.
protected  void parse(PacketEvent ev)
          Take selected packet and write it out to the output adaptor or create a local pcap file.
protected  void writeOpenAdaptor(PacketEvent ev)
          Send the packet message to the output adaptors (SQL, JMS, File, etc)
Data Object Name = PcapPacket
protected  void writePcap(PacketEvent ev)
          Create a local pcap file from the captured packets.
protected  void writeSession(java.lang.String key)
          One of three asynchronous callback methods sent to a parser.
 
Methods inherited from class isc.sensor.parser.AbstractParser
_addPacketEvent, _flush, _initMgr, _notifyProc, _processWork, _ready, _setFinish, _writeSession, initEvents, isServer, run
 
Methods inherited from class java.lang.Thread
activeCount, checkAccess, countStackFrames, currentThread, destroy, dumpStack, enumerate, getAllStackTraces, getContextClassLoader, getDefaultUncaughtExceptionHandler, getId, getName, getPriority, getStackTrace, getState, getThreadGroup, getUncaughtExceptionHandler, holdsLock, interrupt, interrupted, isAlive, isDaemon, isInterrupted, join, join, join, resume, setContextClassLoader, setDaemon, setDefaultUncaughtExceptionHandler, setName, setPriority, setUncaughtExceptionHandler, sleep, sleep, start, stop, stop, suspend, toString, yield
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
 

Field Detail

log

protected static org.apache.log4j.Logger log
the logger


packetObj

protected OAObjectManager packetObj
Output Adaptor


createPCAP

protected boolean createPCAP
create local pcap flag


jp

protected javacap jp
java libpcap processing class


_filename

protected java.lang.String _filename
local pcap filename


_overwrite

protected boolean _overwrite
overwrite local pcap file flag


_defaultfname

protected java.lang.String _defaultfname
default filename for local pcap


err

protected byte[] err
Constructor Detail

StaticPortPacketCapture

public StaticPortPacketCapture()
Method Detail

init

public void init(int protocol)
Create a new Static port packet capture
- Get properties
- Register ports

Specified by:
init in class AbstractParser

init

protected void init()
Read system properties and setup configuration


open

protected void open()
Open a local pcap file if requested by the config file (".CreatePCAP = true").

Specified by:
open in class AbstractParser
See Also:
AbstractParser.open()

close

protected void close()
close local pcap file or output adaptor

Specified by:
close in class AbstractParser
See Also:
AbstractParser.close()

writeSession

protected void writeSession(java.lang.String key)
Description copied from class: AbstractParser
One of three asynchronous callback methods sent to a parser. writeSession tells a parser to write out an active session. A parser should use a hashing mechanism to keep track of in-flight sessions.

Specified by:
writeSession in class AbstractParser
Parameters:
key - The key of the session to be written.
See Also:
#parse(PacketEvent)

closeSession

protected void closeSession(SessionBean ses)
Description copied from class: AbstractParser
One of three asynchronous callback methods sent to a parser. The closeSession event tells a parser that a session has reached a closed state but is not yet ready for writing.

Specified by:
closeSession in class AbstractParser
Parameters:
ses - The summary bean of the closed session
See Also:
AbstractParser.writeSession(String), AbstractParser.parse(PacketEvent)

parse

protected void parse(PacketEvent ev)
Take selected packet and write it out to the output adaptor or create a local pcap file.

Specified by:
parse in class AbstractParser
Parameters:
ev - The packet event to be processed
See Also:
AbstractParser.parse(isc.sensor.parser.PacketEvent)

writePcap

protected void writePcap(PacketEvent ev)
Create a local pcap file from the captured packets.

Parameters:
ev -
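writePcap() and the OverwritePcap option together describe two things a local pcap writer has to get right: the tcpdump file layout (a 24-byte global header followed by a 16-byte record header and the bytes of each packet) and not destroying an earlier capture when overwriting is disabled. The code below is an added example written for this page, not the sensor's writePcap(); it writes records with the fields of the PcapPacket data object into a tcpdump-format file and renames an existing file to [fname].bak[n] first. It assumes that `milliseconds` is epoch milliseconds, that `nanoseconds` is the sub-millisecond remainder, that `packet` holds an Ethernet frame (link type 1), and it uses a constructed filename; the real parser may differ on all of these.

```java
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

/**
 * Added illustration, not the DNA sensor's own writePcap(): writes PcapPacket-shaped
 * records to a tcpdump-format file and applies the documented OverwritePcap rule.
 * Timestamp and link-type interpretation are assumptions, see the lead-in.
 */
public final class PcapFileWriter implements java.io.Closeable {

    private static final int MAGIC = 0xa1b2c3d4;   // microsecond-resolution pcap, native byte order
    private static final int LINKTYPE_ETHERNET = 1;
    private static final int SNAPLEN = 65535;

    private final OutputStream out;

    /** Mirrors OverwritePcap: true clobbers, false keeps the old file as [fname].bak[n]. */
    public static File prepare(File target, boolean overwrite) throws IOException {
        if (target.exists() && !overwrite) {
            int n = 1;
            File bak;
            do {
                bak = new File(target.getPath() + ".bak" + n++);
            } while (bak.exists());            // pick the first unused backup number
            if (!target.renameTo(bak)) {
                throw new IOException("Could not move " + target + " to " + bak);
            }
        }
        return target;
    }

    public PcapFileWriter(File target, boolean overwrite) throws IOException {
        out = new BufferedOutputStream(new FileOutputStream(prepare(target, overwrite)));
        out.write(globalHeader().array());
    }

    /** 24-byte pcap global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype. */
    static ByteBuffer globalHeader() {
        ByteBuffer b = ByteBuffer.allocate(24).order(ByteOrder.LITTLE_ENDIAN);
        b.putInt(MAGIC);
        b.putShort((short) 2).putShort((short) 4);
        b.putInt(0);                 // thiszone: GMT
        b.putInt(0);                 // sigfigs: unused
        b.putInt(SNAPLEN);
        b.putInt(LINKTYPE_ETHERNET);
        return b;
    }

    /** One PcapPacket record: header (ts_sec, ts_usec, incl_len, orig_len) followed by the bytes. */
    public void write(long milliseconds, int nanoseconds, int packetSize, byte[] packet) throws IOException {
        if (packet == null || packetSize < 0 || packetSize > packet.length) {
            throw new IllegalArgumentException("packetSize does not match the packet buffer");
        }
        int inclLen = Math.min(packetSize, SNAPLEN);          // never claim more bytes than we write
        ByteBuffer h = ByteBuffer.allocate(16).order(ByteOrder.LITTLE_ENDIAN);
        h.putInt((int) (milliseconds / 1000L));
        h.putInt((int) ((milliseconds % 1000L) * 1000L + nanoseconds / 1000L));
        h.putInt(inclLen);
        h.putInt(packetSize);
        out.write(h.array());
        out.write(packet, 0, inclLen);
    }

    @Override
    public void close() throws IOException {
        out.close();
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a 60-byte all-zero frame with an arbitrary timestamp, not real traffic.
        byte[] frame = new byte[60];
        File target = new File("StaticPortPacketCapture.pcap");   // constructed default-style name
        try (PcapFileWriter w = new PcapFileWriter(target, false)) {
            w.write(1_700_000_000_123L, 456_000, frame.length, frame);
        }
    }
}
```

The length check in write() matters more than it looks: incl_len is what every pcap reader trusts when it walks the file, so a record whose header claims more bytes than were written desynchronises the entire remainder of the capture.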

writeOpenAdaptor

protected void writeOpenAdaptor(PacketEvent ev)
Send the packet message to the output adaptors (SQL, JMS, File, etc)
Data Object Name = PcapPacket
 Data Dictionary for [PcapPacket]
 
  Name            Type
  ---------       --------------
  time            String (java.sql.Timestamp)   // some DBs don't handle this correctly; should be "YYYY-MM-DD HH:MM:SS[.fffffff]"
  milliseconds    long                                                  
  nanoseconds     integer
  sensorName      String
  interface       String
  sessionKey      String
  packetSize      integer
  packet          byte[]
 

Parameters:
ev -